Access Control (v0.1) Ben Laurie ([email protected]) March 13, 2009

1

Introduction

Access control is central to computer security. Traditionally, we wish to restrict the user to exactly what he should be able to do, no more and no less. You might think that this only applies to legitimate users: where do attackers fit into this worldview? Of course, an attacker is a user whose access should be limited just like any other. Increasingly, of course, computers expose services that are available to anyone – in other words, anyone can be a a legitimate user. As well as users there are also programs we would like to control. For example, the program that keeps the clock correctly set on my machine should be allowed to set the clock and talk to other time-keeping programs on the Internet, and probably nothing else1 . Increasingly we are moving towards an environment where users choose what is installed on their machines, where their trust in what is installed is highly variable2 and where “installation” of software is an increasingly fluid concept, particularly in the context of the Web, where merely viewing a page can cause code to run. In this paper I explore an alternative to the traditional mechanisms of roles and access control lists. Although I focus on the use case of web pages, mashups and gadgets, the technology is applicable to all access control.

2

Access Controls Based on Roles

Of course, in reality, we are never actually controlling the user’s access – instead we are controlling programs that act on his behalf. Traditionally we have taken the view that the program itself is trustworthy: that is, that it will faithfully carry out the wishes of the user who is controlling it. For that reason, traditional access control has focused on controls based on the identity of the user running the program. In practice we use roles rather than users because of messiness in the real world: • Sometimes there isn’t really a particular person associated with an activity we’d like to control: for example, if we are running a nuclear power plant, the entities we wish to be in control are identified by their role, such as ”engineer in charge” or ”janitor”. It is the role we wish to grant permission to, not the person. • People come and go. When somebody starts a job they acquire a new role (or roles), and when they leave they lose the role. • People are fallible: it is useful for their own safety to limit their powers to their current role so that mistakes are less costly. But increasingly we are moving to a world where the user cannot trust the program he is running. Even if we look at traditional environments the devolution of control away from the data centre and professional IT staff and 1 Perhaps it should also be allowed a little long-term storage, for example to keep its calculation of the drift of the native clock. 2 A user probably trusts their operating system more than their browser, their browser more than the pages they browse to and some pages more than others.

1

towards the end user himself means there are programs running on peoples’ machines that they have no idea how much to trust, and nor do they have any way to evaluate those programs. If we look at the Web, particular the modern trend towards mashups, gadgets and single-domain3 applications (e.g. Twitter, Flickr, Dopplr) we see this problem in spades. Applications are webpages, users switch between applications, including to completely new ones, at the click of a mouse. With mashups and gadgets the user is not even running a single program but multiple programs from multiple sources all sharing the same page. Yet we are still trying to control everything with access controls based on roles (ACBR)4 . This makes no sense at all. The user has no way to sensibly create roles and the permissions associated with them. Even if they had, the task of assigning those roles to the various components of, say, a web page would be impossible. Of course, I would not be saying all this if I did not think there was a better way. There is: capabilities. A capability can be thought of as a “handle” representing some operation on some object. Possession of the capability is all that is required to perform that operation. The security of a capability system then boils down to your ability to control who5 has each capability. Some examples of capabilities are: • Read this particular file. • Write the same file (note that this is a completely different capability from the read capability). • Pay money into my bank account. • Pay money into your bank account. • Take money out of my bank account. Each of these capabilities is completely independent of all the others. I cannot derive a read capability from a write capability, nor vice versa. I cannot take money out of your bank account just because I can pay it in. Note, however, that it is possible to derive new capabilities from old ones, for example: • Write only well-formed HTML to some file, derived from the capability to write to the file. • Write a safe subset of HTML to some file (for example, banning

Recommend Documents

Access Control (v0.1) - Ben Laurie
particularly in the context of the Web, where merely viewing a page can cause code to run. ... 3Single problem domain, that is, not DNS domain. 4I avoid ..... and buy something on my behalf using that capability ... or steal the money from me.
Access Control (v0.1) - Ben Laurie
8The laptop produced by the One Laptop Per Child project[4]. 4 .... Examples of the operating system approach are Keykos[9], Amoeba[17],. EROS[14] and ...
Keyless Access Control Policy.pdf
There was a problem previewing this document. Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item. Keyless Access ...
freedom parkway access control plan -
brought into compliance with spacing criteria or eliminated. Change of use is defined as a use substantially different from the previous use of a building or land.
Ben Howard.pdf
sluppet taket for lenge siden. Page 1 of 1. Ben Howard.pdf. Ben Howard.pdf. Open. Extract. Open with. Sign In. Main menu. Displaying Ben Howard.pdf. Page 1 ...
Ben-Youssef_Nadia.pdf
Sign in. Page. 1. /. 1. Loading… Page 1. Ben-Youssef_Nadia.pdf. Ben-Youssef_Nadia.pdf. Open. Extract. Open with. Sign In. Main menu. Displaying ...
Ben Abel.pdf
There was a problem previewing this document. Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item. Ben Abel.pdf.
Ben Vodden.pdf
scared of such a big change. It felt good putting on my new uniform and getting my bag. ready with my new calculator, dictionary and sports kit. When I started ...
Ben Warner_Resume.pdf
The parent organization is MAKETANK, inc. SKILLS. Adobe Illustrator. Adobe Photoshop. Adobe InDesign. Adobe After Effects. Printmaking. Digital Photography.
Ben-Yehoyada_Naor.pdf
There was a problem previewing this document. Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item.
BEN-P001_BenClaimsProcess.pdf
Page 1 of 2. BENEFITS VEHICLE ACCIDENT CLAIMS PROCESS (BEN-P001). DCSS – Benefits Department. 12-Apr-04; Rev. D Doc#: BEN-P001 Page 1 of 2.
Context-Aware Access Control for Collaborative ...
Due to availability of semantic search engines and open data like [49], this approach ..... Wikipedia: Access control — Wikipedia, The Free Encyclopedia. http:.